Page Comparison

This template is intended to be This template is intended to be used to document the outcome of the impact analysis related to the known vulnerability reported by Nexus-IQ (CLM tab in Jenkins). Nexus-IQ can identify the known vulnerabilities contained in the components use by onap components.

...

Vulnerable artifactscorecorecorecorecorecorecorecorecore:2.2.1-SNAPSHOT

Vulnerability report:

CVE-2017-7525

Repository	Group	Impact Analysis	Action
dcaegen2/analytics/tca-gen2	com.fasterxml.jackson.core	Vulnerable artifact: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-model:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-core:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-model:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-web:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-test:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-web:jar:3.0.0-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	DCAEGEN2-765 False Positive Classification Reasoning to be confirmed if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method.
dcaegen2/analytics/tca-gen2	org.springframework	spring-aop Vulnerability report CVE-2018-1258	DCAEGEN2-765 Update spring-aop to newer version 5.0.8.RELEASE version
dcaegen2/analytics/tca-gen2	org.springframework.data	spring-data-commons Vulnerability report CVE-2018-1259	DCAEGEN2-765 Update spring-data-commons to 2.0.8.RELEASE version
dcaegen2/analytics/tca	com.fasterxml.jackson.core	Vulnerable artifact: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-model:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-core:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-model:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-tca-web:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-test:jar:3.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.analytics.tca-gen2:dcae-analytics-web:jar:3.0.0-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	False Positive Classification Reasoning to be confirmed if identified Jackson is only used for converting between POJO to JSON, not the other direction which is reported as vulnerable by CVE-2018-7489. The member call used is ObjectMapper.writeValueAsString. not the risky readValue method.	dcaegen2/analytics/tca	com.fasterxml.jackson.core	-databind:jar:2.4.4 Vulnerable artifact: Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-aai:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-common:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-plugins:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-cdap-tca:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-common:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-dmaap:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-it:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-model:jar:2.2.1-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-	databind:jar:2.4.4 located at Module org.onap.dcaegen2.analytics.tca:dcae-analytics-tca:jar	:2.2.1-SNAPSHOT Vulnerability report: `CVE-2017-7525` `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	False Positive Classification Reasoning There is no use of `BeanDeserializerFactory` class in artifact "dcae-analytics-model". Hence we believe that this vulnerability report is a false positive.
dcaegen2/analytics/tca	com.fasterxml.jackson.core	jackson-core:2.4.4 Vulnerable artifacts: <same as jackson-databind 2.4.4 above> Vulnerability report: SONATYPE-2016-0397 SONATYPE-2017-0355	False Positive Classification Reasoning to be confirmed There is no use of either `UTF8StreamJsonParser` or `ReaderBasedJsonParser` class in artifact "dcae-analytics-model".
dcaegen2/collectors/datafile	org.apache.tomcat.embed	tomcat-embed-core Vulnerability report CVE-2018-8014	Update DCAEGEN2-764 Update tomcat-embed-core to 8.5.32 version
dcaegen2/collectors/datafile	org.bouncycastle	bcprov-jdk15on Vulnerability report CVE-2018-1000613 CVE-2018-1000180	DCAEGEN2-764 Upgrade version. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
dcaegen2/collectors/datafile	com.fasterxml.jackson.core	Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.collectors.datafile:datafile-app-server:jar:1.0.0-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	DCAEGEN2-764 To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
dcaegen2/collectors/datafile	org.springframework	Vulnerability report CVE-2018-1258	Update DCAEGEN2-764 Update spring-aop to newer version 5.0.8.RELEASE version
dcaegen2/collectors/hv-ves	com.fasterxml.jackson.core	jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-coverage:pom:1.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-ct:jar:1.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-dcae-app-simulator:jar:1.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-utils:jar:1.0.0-SNAPSHOT Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.4 located at Module org.onap.dcaegen2.collectors.hv-ves:hv-collector-xnf-simulator:jar:1.0.0-SNAPSHOT Vulnerability report: CVE-2018-7489	To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
dcaegen2/collectors/ves	org.apache.tomcat.embed	tomcat-embed-core Vulnerability report: CVE-2018-8014	Update tomcat-embed-core to 8.5.32 version
dcaegen2/collectors/ves	com.fasterxml.jackson.core	jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.collectors.ves:VESCollector:jar:1.3.1-SNAPSHOT Vulnerability report: `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. 502	False Positive Classification Reasoning The application is only vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization which is not the case here.
dcaegen2/platform/inventory-api	com.fasterxml.jackson.core	jackson-databind Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.8.7 located at Module org.onap.dcaegen2.platform:inventory-api:jar:3.0.3 Vulnerability report: CVE-2017-7525 `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	False Positive Classification Reasoning According to these description, and the fact that the org.onap.dcaegen2.platform:inventory-api code does not enable use of global type information, using Class name as the type id, we believe that this report is a false positive.
dcaegen2/platform/inventory-api	org.eclipse.jetty	jetty-http, 9.4.2.v20170220 Vulnerability report: CVE-2017-7657 CVE-2017-7658	Upgrade to latest version - 9.4.12.v20180830
dcaegen2/platform/inventory-api	org.eclipse.jetty	jetty-server, 9.4.2.v20170220 Vulnerability report: CVE-2018-12538	Upgrade to latest version - 9.4.12.v20180830
dcaegen2/services/mapper	org.codehaus.groovy	groovy-all, 2.4.4 Vulnerability report: CVE-2016-6814	Upgrade to latest version - 2.4.15
dcaegen2/services/mapper	org.apache.tomcat.embed	tomcat-embed-core, 8.5.31 Vulnerability report: CVE-2018-8014	Update tomcat-embed-core to 8.5.32 version
dcaegen2/services/mapper	org.springframework	spring-expression, 5.0.3.RELEASE Vulnerability report: CVE-2018-1270	Update to 5.0.9.RELEASE version
dcaegen2/services/mapper	com.fasterxml.jackson.core	jackson-databind, 2.9.5 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.5 located at Module org.onap.dcaegen2.services.mapper.vesadapter:UniversalVesAdapter:jar:0.0.1 Vulnerability report: SONATYPE-2017-0312 `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	To be assessed Jackson version can be updated to 2.9.6 (for consistency within application) and recommendation below for 2.9.6 can be addressed.
dcaegen2/services/mapper	com.fasterxml.jackson.core	jackson-databind, 2.9.6 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
dcaegen2/services/mapper	org.springframework.data	spring-data-commons, 2.0.6.RELEASE Vulnerability report: CVE-2018-1259	Update to 2.0.8.RELEASE version
dcaegen2/services/mapper	xerces	xercesImpl,2.11.0-atlassian-01 Vulnerability report: CVE-2012-0881	Update to 2.12.0 version
dcaegen2/services/mapper	org.apache.httpcomponents	httpclient, 4.5.2 Vulnerability report: SONATYPE-2017-0359 Sonatype CWE: 22 The Apache httpcomponents component is vulnerable to Directory Traversal. The `normalizePath()` function in the `URIBuilder` class allows directory traversal characters such as `../`. An attacker can exploit this vulnerability by sending a specially crafted request containing this sequence in the URL path, allowing the attacker to traverse beyond the allowed directory and retrieve the contents of arbitrary files from the server, leading to information disclosure	Update to 4.5.3 or later
dcaegen2/services/mapper	org.springframework	spring-core, 5.0.3.RELEASE Vulnerability report: CVE-2018-1272	Update to 5.0.5.RELEASE or later version
dcaegen2/services/prh	org.apache.tomcat.embed	tomcat-embed-core, 8.5.28 Vulnerability report: CVE-2018-8014	Update to 8.5.32 version
dcaegen2/services/prh	org.bouncycastle	bcprov-jdk15on, 1.59 Vulnerable artifacts: Dependency org.bouncycastle:bcprov-jdk15on:jar:1.59 located at Module org.onap.dcaegen2.services.prh:prh-app-server:jar:1.0.0-SNAPSHOT Vulnerability report: CVE-2018-1000613 CVE-2018-1000180	No alternate (unflagged) version available. To be assessed if this dependency can be removed.
dcaegen2/services/prh	com.fasterxml.jackson.core	jackson-databind, 2.9.6 Vulnerable artifacts: Dependency com.fasterxml.jackson.core:jackson-databind:jar:2.9.6 located at Module org.onap.dcaegen2.services.mapper:snmpmapper:jar:0.0.1-SNAPSHOT Vulnerability report: SONATYPE-2017-0312 `jackson-databind` is vulnerable to Remote Code Execution (RCE). The `createBeanDeserializer()` function in the `BeanDeserializerFactory` class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it.	To be assessed if any alternative or Jackson is only used for converting between JSON to POJO only (reverse is flagged under 502 or if below is true If this component is being used as part of Spring Security, then you are not vulnerable if you are running Spring Security 4.2.3.RELEASE or greater for 4.x or Spring Security 5.0.0.M2 or greater for 5.x. (CVE-2017-4995).
		Vulnerable artifacts: Vulnerability report:

...

Versions Compared

Old Version 9

New Version 10

Key